In a troubling cybersecurity oversight, The Home Depot, one of the largest home improvement retailers in the United States, inadvertently exposed an internal GitHub access token for more than a year, leaving critical internal systems and source code repositories potentially vulnerable to unauthorized access. The exposure persisted from early 2024 through late 2025, and the issue was only resolved after media intervention following ignored warnings from a security researcher.
What Happened?
In early November 2025, security researcher Ben Zimmermann discovered a publicly exposed GitHub access token that belonged to a Home Depot employee. This token had been inadvertently published online, most likely due to an employee mistake, sometime in early 2024 and remained accessible for nearly a year.
When Zimmermann tested the token, he found it provided full access to hundreds of private Home Depot GitHub repositories. The access included not just read permissions, but write privileges, meaning the token could be used to modify source code, manipulate cloud infrastructure configurations, or change CI/CD pipelines, all core components of Home Depot’s digital infrastructure.
Worse still, the token’s access extended beyond the codebase. According to Zimmermann, it granted access to portions of Home Depot’s cloud infrastructure, including systems linked to order fulfillment, inventory management, and developer pipelines.
Repeated attempts by the researcher to privately notify Home Depot’s security and leadership teams, including messages to the company’s Chief Information Security Officer, went unanswered. Concerned by the lack of response, Zimmermann eventually contacted TechCrunch, prompting public scrutiny and ultimately forcing Home Depot to revoke the token.
Home Depot confirmed that the exposed token has since been revoked and is no longer active, but the prolonged period of exposure highlights a critical failure in credential management and internal security monitoring.
How It Happened
Security researchers believe the token was accidentally published by a Home Depot employee, for example, added to a public code repository, documentation, or other internet-facing location without proper access controls. Once exposed, the token’s permissions allowed anyone who discovered it to authenticate as the employee across internal systems and repositories.
The incident was worsened by Home Depot’s slow or nonexistent initial response to repeated reports. Without an effective vulnerability disclosure program or bug bounty process, the researcher’s warnings were reportedly ignored for weeks or months before the issue was addressed publicly.
What Was at Risk
The leaked GitHub access token posed a broad and serious threat:
- Unauthorized code modification – The token allowed write access to hundreds of private repositories, meaning malicious actors could have changed source code or inserted backdoors.
- Cloud infrastructure access – Because many DevOps workflows are tied to GitHub and cloud providers, attackers could have accessed internal systems such as cloud instances, deployment pipelines, and backend services.
- Operational disruption – With token access, attackers could potentially disrupt order fulfillment, inventory systems, or other mission-critical services.
- Data exfiltration and espionage – Sensitive internal data, intellectual property, or strategic code could have been copied or exposed.
Although no evidence of malicious exploitation has been reported, the potential for undetected abuse during the year the token was active cannot be ruled out.
Recommendations
To prevent similar oversights, the following best practices are critical:
- Implement secret scanning and automated detection across code repositories, cloud environments, and documentation.
- Use ephemeral, short-lived tokens instead of long-lived static secrets.
- Establish a formal vulnerability disclosure or bug bounty program to ensure researchers can report issues securely and directly.
- Conduct regular audits and automated log monitoring to detect unauthorized exposures early.
- Educate developers and engineers on the risks of hard-coded tokens and public disclosure of secrets.
Final Thoughts
The Home Depot token exposure incident is a stark reminder that even mature, well-resourced enterprises can fall victim to basic security mistakes with far-reaching implications. Allowing a powerful access token to remain exposed for over a year, despite repeated warnings, signals broader gaps in monitoring, credential governance, and incident response readiness.
In today’s threat landscape, no credential, human or machine, should be trusted by default. Vigilant secret management, robust reporting channels, and rapid response frameworks are essential to safeguarding digital infrastructure, protecting operational integrity, and maintaining stakeholder trust.
